How To Become A CISO, Part 1

Think you're ready for the top job? Here's part 1 of a series to help you land that prime chief information security officer position.

So you want to be a CISO, huh? Think you're ready to lead a small band of white knights into battle against a countless, hidden enemy? Ready to play both savior and scapegoat, depending on what the day brings? Ready to beg, borrow, and steal for the resources you need to protect your company?

Yes? OK, then, you're ready to do the job... but can you get the job? For the next several weeks, we're dedicating Mondays to helping you find the path to the big job, which won't be easy to define.

"There's not a standard path [to the CISO job] like so many other professions," says Mark Aiello, president of the Boston cyber security staffing firm Cyber360 Solutions. "We can't even agree on how to spell cyber security." (Cybersecurity? Cyber-security?)

Even the words "engineer" and "administrator" don't mean the same thing from company to company. The bad news, then, is that it is hard to know what career steps to take next.

The good news, though, is that the ladder you're already climbing could lead you to the CISO seat.

Despite the variety of routes to the top, Aiello does identify a few consistent trends:

Most CISOs are hired from outside the company. Following the perplexing logic that somebody you don't know must be smarter than somebody you do know, "the vast majority" of organizations look outside their walls for a CISO, Aiello says. However, they will be more likely to hire an insider for the CISO job if it's a newly created position.

So being in the right place at the right time may help you get that newly minted CISO gig, but beware...

A company's first CISO has less power than its subsequent CISOs. "That first CISO tends to not have as many teeth as the second one," Aiello says. They're likely to be a step below the true C-suite and report to the chief information officer.

Aiello thinks the CISO should be separate from the rest of the IT organization, because security not only impacts technology. "Security organizations are still relatively small [in size], in comparison to the IT department, but huge in terms of importance."

Most companies want to hire a CISO who's already a CISO somewhere else. This raises a question: How do you get that first CISO job if you can only get one if you already have one? Aiello says you may convince a new employer to take you on if you've reached the highest security position at your current company -- like director or vice president of security -- as long as you have experience within the appropriate industry vertical: finance, healthcare, etc.

CISOs are more likely to come from a technical background. Though there are people who rise to the security job from outside the IT department -- we'll hear some of their stories in the course of this series -- Aiello says that most of today's CISOs began their careers in an information technology job of some ilk. As the field matures and more IT functions are outsourced, that may change.

A CISSP certification isn't necessarily required for a CISO. In order to have climbed the infosecurity ladder high enough to be eligible for the "chief" title, you probably will have needed a CISSP already. However, if you've made it this far without one, you probably won't need one now, says Aiello. A four-year college degree, however, is something a prospective employer will want.

As the CISO job grows bigger and more important, Aiello says, the key is proactively gathering all the knowledge and experience you can.

"Raise your hand. Volunteer," he says. If you've spent most of your career outside of the nitty-gritty, hard-core IT security world, spend more time learning about the tactical side -- the day-to-day tasks of securing a business. If you are from a heavy technical background, learn as much as you can about the business side.

"Understand the problems your technology is there to solve," he says. "Understand what [the company is] securing and why they're securing it."

In the coming weeks, we'll spin out the origin stories of men and women currently holding the CISO position at a variety of organizations. Come back to Dark Reading next Monday for the first "how I became a CISO" tale.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

This is a great article, and I can't wait for the rest of the series. Mark Aiello makes some excellent points, especially regarding companies where the CISO is a newly formed role. What I would like to know is why a company that creates the new CISO role would have that person report to the CIO. That creates a potential conflict of interest, and violates a sacred rule of integrity – the separation of duties (SoD). SoD is a fundamental principle of regulations like SOX and GLBA, yet organizations do not see that it also applies to security, where it is just as critical as it is to the financial aspects of the organization. But how do you communicate that to an organization where the CIO is firmly entrenched, and has great influence with the rest of the C-suite? It would be interesting to hear from CEOs of organizations where CISOs report to CIOs, to see what their rationale was for allowing that reporting structure.

@GonzSTL This is a good idea: "It would be interesting to hear from CEOs of organizations where CISOs report to CIOs, to see what their rationale was for allowing that reporting structure." Maybe we can do a story or two on that in the near future.

@GonzSTL I'd imagine that most companies put the CISO under the CIO, because they still see security as a part of IT, and only IT. I understand why -- most of the security efforts rely on IT in one way or another. It does seem a bit silly to name anybody "chief" and have them report to anyone but the CEO, but I imagine that some companies just add the position to add a new tier to the payment structure and give the top security person a raise... It amazes me just how often that sort of thing happens in big corporations.

"A company's first CISO has less power than its subsequent CISOs". Quite honestly, CISOs are never really empowered. With few exceptions, they tend to be placed at the upper end of middle management or the lower end of upper management. Ideally they should have an equivalent level of influence as a CFO, CIO, or COO.

"CISOs are more likely to come from a technical background." God no. On paper they might appear to have significant technical breadth/depth but in reality have had a career based in policy/compliance. CISOs that are technical are a rarity in my experience.

"A CISSP certification isn't necessarily required for a CISO." It's not required in the sense that it's a worthless certification that does nothing to assess the level of security aptitude one possesses. But I have yet to see a CISO candidate opening/job posting that does not have "CISSP or equivalent" in the qualifications.

That's a great point about how important (and prevalent) CISSP certification actually is for someone in the CISO role. My suspicion is that it's necessary, primarily, to reassure the CISSPs that are working in the group that the CISO knows the basics, or at least talks the same language. But how it relates to the broader policy and leadership functions of the job is definitely open for discussion...

Sara, that would be a very interesting story. We often hear from CIOs and CISOs regarding this topic, but rarely hear from CEOs. Recently, the SEC commissioner hinted that cyber security should be a part of the board of directors' risk oversight responsibilities. That almost implies that the CISO should have a seat at the C table.

@Sara, I think the reason most CISOs are assigned under the CIO is that most companies do not realize how effective a CISO can be if he/she were under, say, the CFO. In all of the companies I've worked for, the CFO was a very big deal and had power, thus that gave the CISO a direct ear to someone who could make a difference, and let's face it, if you (CIO) control the CISO, you control the message.

@savoiadilucania That's interesting that your experience would differ so much from what Mark sees in his work match-making CISOs and companies. I wonder if it differs by region (Mark's in the northeast) or industry sector? Most of the CISOs I know also come from IT backgrounds, but I think that's changing.

The CISSP exam covers the 10 domains of the (ISC)² CBK, a collection of topics relevant to information security professionals. I admit that the CBK is broad and doesn't necessarily mean that the CISSP has advanced or in depth knowledge in any or all of those domains, but the important thing to note is that it shows that the individual is knowledgeable in those areas critical to IT security. In addition to the exam, maintaining the certification involves successful completion of CPEs not just in the CBK but also in soft skills as defined in their "Group B" professional development activities. (ISC)² recognizes the importance of those skills and the criticality of communication laterally, upward, and downward in the corporate structure. Some of the Group B topics are management courses, interpersonal communications skills, team development skills, etc. The ideal CISO must be able to bridge the gap between the geeks and the suits, and convey the security message adequately and effectively. I get the argument that certifications can be obtained by paying lots of money to a "certificate mill", but you have to start or end somewhere. If businesses and technical experiences are equal, wouldn't you want a certificate to be a tie breaker, especially one that doesn't involve just geeky stuff? One of my favorite sayings to my students: organizations want to hire geeks to protect their IT assets, but they don't want to hire a geek with the personality of a door knob.

CISO, like most other positions of leadership, is just that: leading and setting the tone. I can see why you'd want your security wonks, which I am, to have their CISSP. It shows that they have proven that they are capable of learning a framework to learn concepts that will guide and further their careers, but I can also see why it really doesn't matter if the CISO has one or not... you're not hiring a CISO because they have a CISSP, you're hiring them because you believe they have proven through prior experience, responsibilities and positions that they are the right person for the job, cert or not.

The one thing that any CISO needs that cannot be quantified is the power of persuasion; he/she needs to be able to take the information from subordinate leaders and craft it into a message that is powerful enough so that the people who really do make the decisions understand what is required to hold back/fight the threat(s) and what those threats are.
